package com.user.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.jwt.crypto.sign.MacSigner;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * oauth2 资源服务配置
 */
@Configuration
@EnableResourceServer //开启资源服务器功能
@EnableWebSecurity    //开启WEB访问安全
public class ResourceConfig extends ResourceServerConfigurerAdapter {

    /**
     * 资源服务器向远程认证服务器发起请求 校验token  /check_token
     * @param resources
     * @throws Exception
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        //定义token服务对象
//        RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
//        //校验端点接口配置
//        remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:9009/oauth/check_token");
//        remoteTokenServices.setClientId("zgc");
//        remoteTokenServices.setClientSecret("abc123");
//        resources.tokenServices(remoteTokenServices);
//        resources.resourceId("user");//当前资源服务的id
//        JWT 验证
        resources.resourceId("user").tokenStore(tokeStore()).stateless(true) ;//配置无状态


    }

    /**
     * 定义令牌存储
     * @return
     */
    @Bean
    public TokenStore tokeStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Autowired
    private MyAccessTokeConvoter myAccessTokeConvoter;

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter(){
        JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
        jwtAccessTokenConverter.setSigningKey("zgc");
        jwtAccessTokenConverter.setVerifier(new MacSigner("zgc")); //验证jwt 使用的密钥
        jwtAccessTokenConverter.setAccessTokenConverter(myAccessTokeConvoter); //解析扩展得内容
        return jwtAccessTokenConverter;
    }


    /**
     * 资源服务的接口保护与放行
     * 某些api 不需要认证
     * 某些api 需要认证
     * @param http
     * @throws Exception
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        //session 的创建策略 根据需要创建即可
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
        http.authorizeRequests()
                .antMatchers("/user/**").authenticated()
                .anyRequest().permitAll() //其他请求不认证
        ; //需要被认证

    }
}
